dev-sec · chris-rock · Jun 9, 2015 · Jun 6, 2015 · Jun 8, 2015
diff --git a/roles/ansible-os-hardening/tasks/sysctl.yml b/roles/ansible-os-hardening/tasks/sysctl.yml
@@ -1,146 +1,25 @@
 ---
-- name: Disable IPv4 traffic forwarding.
-  sysctl: name='net.ipv4.ip_forward' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: not os_network_forwarding
-
-- name: Enable IPv4 traffic forwarding again, but only if required.
-  sysctl: name='net.ipv4.ip_forward' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: os_network_forwarding
-
-- name: Disable IPv6 traffic forwarding.
-  sysctl: name='net.ipv6.conf.all.forwarding' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: not (os_network_forwarding and os_network_ipv6_enable)
-
-- name: Enable IPv6 traffic forwarding again, but only if required.
-  sysctl: name='net.ipv6.conf.all.forwarding' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: os_network_forwarding and os_network_ipv6_enable
-
-- name: ignore RAs on Ipv6
-  sysctl: name='net.ipv6.conf.all.accept_ra' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: ignore RAs on Ipv6
-  sysctl: name='net.ipv6.conf.default.accept_ra' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Enable RFC-recommended source validation feature.
-  sysctl: name='net.ipv4.conf.all.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Enable RFC-recommended source validation feature.
-  sysctl: name='net.ipv4.conf.default.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Reduce the surface on SMURF attacks. Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
-  sysctl: name='net.ipv4.icmp_echo_ignore_broadcasts' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: There is no reason to accept bogus error responses from ICMP, so ignore them instead.
-  sysctl: name='net.ipv4.icmp_ignore_bogus_error_responses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Limit the amount of traffic the system uses for ICMP.
-  sysctl: name='net.ipv4.icmp_ratelimit' value=100 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Adjust the ICMP ratelimit to include ping, dst unreachable, source quench, ime exceed, param problem, timestamp reply, information reply
-  sysctl: name='net.ipv4.icmp_ratemask' value=88089 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Disable IPv6 
-  sysctl: name='net.ipv6.conf.all.disable_ipv6' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: not os_network_ipv6_enable
-
-- name: Enable IPv6 as it is needed.
-  sysctl: name='net.ipv6.conf.all.disable_ipv6' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: os_network_ipv6_enable
-
-- name: Protect against wrapping sequence numbers at gigabit speeds
-  sysctl: name='net.ipv4.tcp_timestamps' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name:  Define restriction level for announcing the local source IP
-  sysctl: name='net.ipv4.conf.all.arp_ignore' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: not os_network_arp_restricted
-
-- name:  Define restriction level for announcing the local source IP
-  sysctl: name='net.ipv4.conf.all.arp_ignore' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: os_network_arp_restricted
-
-- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses 
-  sysctl: name='net.ipv4.conf.all.arp_announce' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: not os_network_arp_restricted
-
-- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses 
-  sysctl: name='net.ipv4.conf.all.arp_announce' value=2 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: os_network_arp_restricted
-
-- name: RFC 1337 fix F1
-  sysctl: name='net.ipv4.tcp_rfc1337' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Syncookies is used to prevent SYN-flooding attacks.
-  sysctl: name='net.ipv4.tcp_syncookies' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- sysctl: name='net.ipv4.conf.all.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv4.conf.default.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
-  sysctl: name='net.ipv4.conf.all.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
-  sysctl: name='net.ipv4.conf.default.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-# Accepting redirects can lead to malicious networking behavior, so disable
-# it if not needed.
-- sysctl: name='net.ipv4.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv4.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv4.conf.all.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv4.conf.default.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-# For non-routers: don't send redirects, these settings are 0
-- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: log martian packets
-  sysctl: name='net.ipv4.conf.all.log_martians' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-# ipv6 config
-# NSA 2.5.3.2.5 Limit Network-Transmitted Configuration
-- sysctl: name='net.ipv6.conf.default.router_solicitations' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.default.accept_ra_rtr_pref' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.default.accept_ra_pinfo' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.default.accept_ra_defrtr' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.default.autoconf' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.default.dad_transmits' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-- sysctl: name='net.ipv6.conf.default.max_addresses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-
-# This settings controls how the kernel behaves towards module changes at
-# runtime. Setting to 1 will disable module loading at runtime.
-# Setting it to 0 is actually never supported.
-- name: This settings controls how the kernel behaves towards module changes at runtime.
-  sysctl: name='kernel.modules_disabled' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: not os_security_kernel_enable_module_loading
-
-# Magic Sysrq should be disabled, but can also be set to a safe value if so
-# desired for physical machines. It can allow a safe reboot if the system hangs
-# and is a 'cleaner' alternative to hitting the reset button.
-# The following values are permitted:
-#
-# * **0**   - disable sysrq
-# * **1**   - enable sysrq completely
-# * **>1**  - bitmask of enabled sysrq functions:
-# * **2**   - control of console logging level
-# * **4**   - control of keyboard (SAK, unraw)
-# * **8**   - debugging dumps of processes etc.
-# * **16**  - sync command
-# * **32**  - remount read-only
-# * **64**  - signalling of processes (term, kill, oom-kill)
-# * **128** - reboot/poweroff
-# * **256** - nicing of all RT tasks
-- sysctl: name='kernel.sysrq' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: not os_security_kernel_enable_sysrq
-
-- sysctl: name='kernel.sysrq' value='{{ os_security_kernel_secure_sysrq }}' sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: os_security_kernel_enable_sysrq
-
-- name: Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
-  sysctl: name='fs.suid_dumpable' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-
-- name: # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
-  sysctl: name='fs.suid_dumpable' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
-  when: os_security_kernel_enable_core_dump
 
+- name: include sysctl variables
+  include_vars: sysctl.yml
+
+- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
+  sysctl:
+    name: '{{ item.key }}'
+    value: '{{ item.value }}'
+    sysctl_set: yes
+    state: present
+    reload: yes
+    ignoreerrors: yes
+  with_dict: sysctl_config
+
+- name: Change various sysctl-settings on rhel-hosts, look at the sysctl-vars file for documentation
+  sysctl:
+    name: '{{ item.key }}'
+    value: '{{ item.value }}'
+    sysctl_set: yes
+    state: present
+    reload: yes
+    ignoreerrors: yes
+  with_dict: sysctl_rhel_config
+  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
diff --git a/roles/ansible-os-hardening/vars/sysctl.yml b/roles/ansible-os-hardening/vars/sysctl.yml
@@ -0,0 +1,116 @@
+sysctl_config:
+  # Disable IPv4 traffic forwarding.
+  net.ipv4.ip_forward: 0
+
+  # Disable IPv6 traffic forwarding.
+  net.ipv6.conf.all.forwarding: 0
+
+  # ignore RAs on Ipv6.
+  net.ipv6.conf.all.accept_ra: 0
+  net.ipv6.conf.default.accept_ra: 0
+
+  # Enable RFC-recommended source validation feature.
+  net.ipv4.conf.all.rp_filter: 1
+  net.ipv4.conf.default.rp_filter: 1
+
+  # Reduce the surface on SMURF attacks.
+  # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
+  net.ipv4.icmp_echo_ignore_broadcasts: 1
+
+  # There is no reason to accept bogus error responses from ICMP, so ignore them instead. 
+  net.ipv4.icmp_ignore_bogus_error_responses: 1
+
+  # Limit the amount of traffic the system uses for ICMP.
+  net.ipv4.icmp_ratelimit: 100
+
+  # Adjust the ICMP ratelimit to include ping, dst unreachable,
+  # source quench, ime exceed, param problem, timestamp reply, information reply
+  net.ipv4.icmp_ratemask: 88089
+
+  # Disable IPv6
+  net.ipv6.conf.all.disable_ipv6: 1
+
+  # Protect against wrapping sequence numbers at gigabit speeds
+  net.ipv4.tcp_timestamps: 0
+
+  # Define restriction level for announcing the local source IP
+  net.ipv4.conf.all.arp_ignore: 1
+
+  # Define mode for sending replies in response to
+  # received ARP requests that resolve local target IP addresses
+  net.ipv4.conf.all.arp_announce: 1
+
+  # RFC 1337 fix F1
+  net.ipv4.tcp_rfc1337: 1
+
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1
+
+  # Send(router) or accept(host) RFC1620 shared media redirects
+  net.ipv4.conf.all.shared_media: 1
+  net.ipv4.conf.default.shared_media: 1
+
+  # Accepting source route can lead to malicious networking behavior,
+  # so disable it if not needed.
+  net.ipv4.conf.all.accept_source_route: 0
+
+  # Accepting redirects can lead to malicious networking behavior, so disable
+  # it if not needed.
+  net.ipv4.conf.default.accept_redirects: 0
+  net.ipv4.conf.all.accept_redirects: 0
+  net.ipv4.conf.all.secure_redirects: 0
+  net.ipv4.conf.default.secure_redirects: 0
+  net.ipv6.conf.default.accept_redirects: 0
+  net.ipv6.conf.all.accept_redirects: 0
+
+  # For non-routers: don't send redirects, these settings are 0
+  net.ipv4.conf.all.send_redirects: 0 
+  net.ipv4.conf.default.send_redirects: 0
+
+  # log martian packets
+  net.ipv4.conf.all.log_martians: 0
+
+  # ipv6 config
+  # NSA 2.5.3.2.5 Limit Network-Transmitted Configuration
+  net.ipv6.conf.default.router_solicitations: 0
+  net.ipv6.conf.default.accept_ra_rtr_pref: 0
+  net.ipv6.conf.default.accept_ra_pinfo: 0
+  net.ipv6.conf.default.accept_ra_defrtr: 0
+  net.ipv6.conf.default.autoconf: 0
+  net.ipv6.conf.default.dad_transmits: 0
+  net.ipv6.conf.default.max_addresses: 1
+
+  # This settings controls how the kernel behaves towards module changes at
+  # runtime. Setting to 1 will disable module loading at runtime.
+  # Setting it to 0 is actually never supported.
+  kernel.modules_disabled: 1
+
+  # Magic Sysrq should be disabled, but can also be set to a safe value if so
+  # desired for physical machines. It can allow a safe reboot if the system hangs
+  # and is a 'cleaner' alternative to hitting the reset button.
+  # The following values are permitted:
+  # * **0**   - disable sysrq
+  # * **1**   - enable sysrq completely
+  # * **>1**  - bitmask of enabled sysrq functions:
+  # * **2**   - control of console logging level
+  # * **4**   - control of keyboard (SAK, unraw)
+  # * **8**   - debugging dumps of processes etc.
+  # * **16**  - sync command
+  # * **32**  - remount read-only
+  # * **64**  - signalling of processes (term, kill, oom-kill)
+  # * **128** - reboot/poweroff
+  # * **256** - nicing of all RT tasks
+  kernel.sysrq: 0
+
+  # Prevent core dumps with SUID. These are usually only 
+  # needed by developers and may contain sensitive information.
+  fs.suid_dumpable: 0
+
+  # Virtual memory regions protection
+  kernel.randomize_va_space: 2
+
+sysctl_rhel_config:
+  # ExecShield protection against buffer overflows
+  kernel.exec-shield: 1
+
+